
Configuring Cisco AnyConnect Tunnel with the CLI

One main capability of the AnyConnect client is that it provides a virtual private network (VPN) connection from a remote location into a secured network. This capability of AnyConnect can be deployed from both Adaptive Security Appliances (ASA) and from a device running a supporting version of IOS (assuming the required license has been purchased).

Take a look at the configuration that is required to get this up and running on a Cisco IOS device. To start off, it is assumed that the Security and SSL VPN licenses have already been installed on the device.

The first thing that is required is that the AnyConnect package must be retrieved from the Cisco website. To download it, a Cisco service contract is required; if this is not the case you may be able to get it from already deployed devices or from other locations on the web which I will not link to here. Whatever the source, verify the package's checksum against the one Cisco publishes for that release before installing it: this file is pushed to every remote client, so a tampered package is a supply-chain compromise of every user of the VPN.

The specific filename for the most up-to-date (as of this writing) Windows web deployment package is called anyconnect-win-3.1.02040-k9.pkg.

Use a TFTP server to transfer this file to the IOS device; for this demonstration a 2911 was used. The steps to install the package are shown in the tables below.

The next step is to enable AAA and create an authentication method list. For this example a local username database will be used for authentication.

4. Enable AAA

router(config)#aaa new-model

5. Create a device authentication method list

router(config)#aaa authentication login method-list-name local

The next step is to configure a user (or users) that will be able to access the web interface to start a VPN session.

6. Create a username. Note: Use the secret keyword rather than password so that the credential is stored as a hash in the configuration instead of as reversible (type 7) or cleartext text.

router(config)#username username secret password

The next step involves creating a virtual template interface; this will act as the VPN gateway interface. The IP address that is assigned to this interface must be in the same subnet as the pool of IP addresses that are handed out to the VPN client devices.

7. Create the Virtual Template interface

router(config)#interface virtual-template 1

8. Assign an IP address

router(config-if)#ip address ip-address mask

The next step involves the creation of an address pool that will be used to assign addresses to the remote clients. As stated above, these IP addresses should be in the same subnet as the IP address assigned to the virtual template interface just created.

9. Create an IP address pool

router(config)#ip local pool pool-name start-ip end-ip

The next step involves the creation of a WebVPN gateway; the gateway will act as a proxy between the VPN client and the network (or networks) with secured access.

10. Create a WebVPN gateway

router(config)#webvpn gateway gateway_name

11. Configure the VPN headend IP address; the default port used is 443. Note: This is the address that the VPN client will connect to, so it must be reachable from the remote clients.

router(config-webvpn-gateway)#ip address ip-address

12. Configure an HTTP redirect; this will redirect clients that connect to port 80 over to port 443 so that the session is always established over SSL/TLS.

router(config-webvpn-gateway)#http-redirect port 80

13. Put the WebVPN gateway into service (this is the equivalent to the no shutdown command on interfaces)

router(config-webvpn-gateway)#inservice

14. Configure an SSL trustpoint; this selects the certificate the gateway presents to clients. Note: A self-signed certificate and its trustpoint are generated automatically when the webvpn gateway command is run; to obtain the name of the trustpoint, perform the do show running-config command and look for the text that starts with crypto pki trustpoint. A self-signed certificate is fine for a lab, but clients cannot distinguish it from one presented by an attacker in the path, so for production either enroll the gateway with a CA the clients trust or explicitly distribute the self-signed certificate to the clients.

router(config-webvpn-gateway)#ssl trustpoint trustpoint-name

The next step involves the creation of a WebVPN context and policy; the context is used to define the virtual configuration of the SSL VPN and the policy defines the presentation and permissions of the web interface used by the remote user.

15. Create a WebVPN context

router(config)#webvpn context context-name

16. Associate an authentication method list. Note: The method-list-name matches the list created in step 5.

router(config-webvpn-context)#aaa authentication list method-list-name

17. Associate a WebVPN gateway. Note: The gateway_name matches the gateway created in step 10.

router(config-webvpn-context)#gateway gateway_name

18. Limit the maximum number of users. Note: The limit depends on the platform and the license; a demo 100-user license can be obtained from Cisco for 60 days.

router(config-webvpn-context)#max-users max-users

19. Associate a Virtual Template

router(config-webvpn-context)#virtual-template template-number

20. Put the WebVPN context into service

router(config-webvpn-context)#inservice

21. Create a WebVPN policy

router(config-webvpn-context)#policy group group-name

22. Configure AnyConnect full tunnel mode. The svc-required keyword makes the AnyConnect client mandatory: users must run the client and are not offered the clientless web portal as a fallback.

router(config-webvpn-group)#functions svc-required

23. (Optional) Create a split tunnel. By default, the configuration will tunnel all traffic from the client while the VPN is connected. Often only specific traffic needs to be tunneled and other traffic should be allowed to go through a separate gateway (typically the client's own Internet connection). Each svc split include entry adds one network that is sent through the tunnel; everything else bypasses it. Keep in mind that split tunneling lets the remote host talk to the Internet and the protected networks at the same time, so the client's own security posture matters more than it does with full tunneling.

router(config-webvpn-group)#svc split include ip-address mask

25. Configure the WebVPN context to use the WebVPN policy that was just created. Note: The group_name matches the policy group created in step 21.

router(config-webvpn-context)#default-group-policy group_name

To bring these concepts together, this section shows an example.

Figure 1: Topology

For this example we will use the 203.0.113.1 address as the gateway address and tunnel the 192.0.2.0/24 and 198.51.100.0/24 networks. All other traffic will go directly out through the remote host's Internet gateway. All the commands that are required to configure this are shown in Figure 2.
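The following is an added worked example of the whole procedure for this topology, not the article's Figure 2 and not taken from the original page. The gateway address and the two tunneled networks are the ones given above; everything else is assumed: the client pool 10.10.10.0/24 (the page never states one), the names ANYCONNECT-AUTH, ANYCONNECT-POOL, ANYCONNECT-GW, ANYCONNECT-CTX and ANYCONNECT-POLICY, the username, the trustpoint placeholder (which must be replaced with the name found in show running-config, as in step 14), and the two package-install lines that stand in for the install tables. The svc address-pool line, which binds the pool from step 9 to the policy group, is not among the numbered steps above but is required for clients to receive an address.

```cisco
! Added example configuration, assumed names and pool range; not the page's Figure 2.
! Package install: copy the file from the TFTP server and register it with WebVPN
copy tftp://192.0.2.10/anyconnect-win-3.1.02040-k9.pkg flash:
configure terminal
crypto vpn anyconnect flash:/anyconnect-win-3.1.02040-k9.pkg sequence 1
!
! Steps 4-6: AAA with a local user database; secret stores the credential hashed
aaa new-model
aaa authentication login ANYCONNECT-AUTH local
username vpnuser secret Change-This-Passphrase
!
! Steps 7-9: virtual template (gateway interface) and the pool it must share a subnet with
interface Virtual-Template1
 ip address 10.10.10.1 255.255.255.0
ip local pool ANYCONNECT-POOL 10.10.10.10 10.10.10.100
!
! Steps 10-14: the gateway is the address clients connect to; port 80 is bounced to 443
webvpn gateway ANYCONNECT-GW
 ip address 203.0.113.1 port 443
 http-redirect port 80
 ssl trustpoint TRUSTPOINT-NAME-FROM-RUNNING-CONFIG
 inservice
!
! Steps 15-25: the context ties AAA, gateway, virtual template and policy together
webvpn context ANYCONNECT-CTX
 aaa authentication list ANYCONNECT-AUTH
 gateway ANYCONNECT-GW
 max-users 100
 virtual-template 1
 policy group ANYCONNECT-POLICY
  functions svc-required
  svc address-pool "ANYCONNECT-POOL"
  svc split include 192.0.2.0 255.255.255.0
  svc split include 198.51.100.0 255.255.255.0
 default-group-policy ANYCONNECT-POLICY
 inservice
end
```

After applying this, show webvpn gateway and show webvpn context confirm that both objects are in service with the expected addresses, and show webvpn session context all lists connected users with their assigned pool addresses once a client has authenticated. Because the policy uses svc split include, the client only routes the two listed networks through the tunnel; removing those two lines returns the policy to full tunnel mode.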

There are certainly a number of different ways to set up a VPN, both on Cisco equipment and on other vendors' equipment. The AnyConnect tool is a nice package that combines a lot of different functionalities when used with the ASA platforms. Although these functions are limited to VPN when deploying from an IOS device, the client interface is still the same and familiar across platforms.

Hopefully this article offered an overview of the configuration steps that are required to get this up and running on an IOS device, and will enable the successful configuration on the reader’s own equipment.
